From 21423c9003766a27adb27d32b4a0da20d63ba325 Mon Sep 17 00:00:00 2001 From: Jonathan Leitschuh Date: Fri, 24 Oct 2025 10:42:32 -0700 Subject: [PATCH] Remove DANGEROUSLY_OMIT_AUTH from dev scripts The `DANGEROUSLY_OMIT_AUTH=true` allows any website visited by a developer to maliciously attack the MCP server running locally on the dev machine, achieving remote code execution. https://www.tenable.com/blog/how-tenable-research-discovered-a-critical-remote-code-execution-vulnerability-on-anthropic --- packages/agent-infra/mcp-servers/browser/package.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/agent-infra/mcp-servers/browser/package.json b/packages/agent-infra/mcp-servers/browser/package.json index 869bbe19da..fdfd7c0218 100644 --- a/packages/agent-infra/mcp-servers/browser/package.json +++ b/packages/agent-infra/mcp-servers/browser/package.json @@ -37,9 +37,9 @@ ], "scripts": { "build": "shx rm -rf dist && rslib build && shx chmod +x dist/*.{js,cjs}", - "dev": "DANGEROUSLY_OMIT_AUTH=true npx -y @modelcontextprotocol/inspector tsx src/index.ts", + "dev": "npx -y @modelcontextprotocol/inspector tsx src/index.ts", "dev:server": "tsx --watch src/index.ts --port 3000 --vision", - "dev:vision": "DANGEROUSLY_OMIT_AUTH=true npx -y @modelcontextprotocol/inspector tsx src/index.ts --vision", + "dev:vision": "npx -y @modelcontextprotocol/inspector tsx src/index.ts --vision", "prepare": "npm run build", "prepublishOnly": "tsx scripts/update-readme.ts", "test": "vitest run --config=./vitest.config.mts",